Securing Technology is No Longer a ‘First World Problem’

In October, 2018, more than 4,000 professionals gathered in Abidjan, the economic capital of Ivory Coast, one of the most populous French-speaking cities in Africa, to discuss one of the developing world’s greatest challenges: cybersecurity. A recent report sanctioned by the Africa CyberSecurity Conference estimates that the continent lost about $3.7 billion dollars to cybercrime in 2017. It also found that more than 90% of African businesses were operating below the cybersecurity “poverty line.” This meant that they couldn’t adequately protect themselves against losses, and that official agencies were digitizing services without understanding how it could open them up to risks.

It’s time for international development practitioners, government policymakers, cybersecurity practitioners, and industry stakeholders to come together and collectively address the growing cybersecurity risks of connected technology in the developing world. These are risks that not only impact the world’s most vulnerable populations, but have political and economic implications for the West as well.

Connectivity is exploding in the developing world. In Africa, drone technology is becoming increasingly important for water and land management, and for border security. In Latin America, high-speed communication has increased agricultural productivity by optimizing irrigation and the use of fertilizer and pesticide. According to a 2016 survey, 88% of households in India had a mobile phone, but far fewer households had access to toilets or tap water. In South Asia, increased cost of food has led to decline in healthy food consumption but the number of monthly active internet users has increased by 70 million since 2015. Given the extreme lack of access to societal privileges, these populations lack the ability to bounce back and recover from any form of exploitation, including threats in cyberspace.

It’s time for international development practitioners, government policymakers, cybersecurity practitioners, and industry stakeholders to come together and collectively address the growing cybersecurity risks of connected technology in the developing world.

Rapidly growing tech development is also making possible the achievement of the Sustainable Development Goals, the United Nations’ blueprint to achieve a better and more sustainable future for all. But communities who need assistance reaching Sustainable Development Goals, through technology or otherwise, are the most fragile, and they lack the resilience and safeguards that other, more resourced populations have if their security or privacy is breached.

When Marriott suffered a data breach of its Starwood Guest Reservation database, for instance, the hospitality behemoth offered victims a dedicated call center and free identity monitoring. For tech users in developing countries, service providers are more likely to be operating below the cyber poverty line, without the internal resources to offer their clients substantive recourse in the event of an incident. This results in a double bind situation: vulnerable populations can utilize technology as a means of growing extremely fragile economic or human capital, but are left even more marginalized than before if exploited through the use of that technology.

Generally speaking, cybersecurity is not a high priority for much of the development community or the multinational corporations who build infrastructure in the developing world, and for (seemingly) good reason. After all, the logic goes, who cares about securing data when there are mouths to feed and roads to build? Likewise, most cybersecurity practitioners in developed nations don’t have the Global South on their radar either - who has time to think about Nigeria when we’re focused on state-sponsored vacuuming of intellectual commercial property? But the dynamic is changing; the sustainability of development projects and global security depend on setting new priorities, and addressing some of the developing world’s unique cyber risks.

For example, the rapidly growing tech ecosystem in the developing world offers a tantalizing opportunity for organized cybercrime syndicates and for traditional criminals who use the Internet for cyber-enabled crime. Network infrastructure and access is growing faster than legislative reform or law enforcement capacity in many developing countries. Cyber criminals know and take advantage of this, and routinely launch fraud campaigns via infected hosts in developing countries – in many cases from their comfortable home positions elsewhere. These campaigns target locals, Westerners living or travelling locally, and victims abroad. This should be a concern to Western cybersecurity practitioners as well as development practitioners focused on effective rule of law.

The sustainability of development projects and global security depend on setting new priorities, and addressing some of the developing world’s unique cyber risks.

The infamous Nigerian Prince Email scam of recent years is one example of flagrant criminal exploitation of a developing nation’s IT infrastructure. In 2017, it is estimated that Nigeria’s economy lost US $650m due to cybercrime. While Nigeria has taken enormous steps to counter this threat, engaging the global donor community in the process, cyber criminals know this as well, and simply hop across borders, reinvent themselves next door, and the cycle repeats. Sustainable development depends heavily on a country having a stable and trustworthy legal system. If citizens cannot depend on the law to protect them, other socio-economic factors are negatively affected.

Another alarming factor in cyber risk globally is China’s massive development investments across the African continent. In the past ten years, China has quietly become the single largest foreign investor in telecommunication infrastructure in Africa. In addition to immense Chinese government-provided foreign assistance, private sector giants are subsidizing connected technology projects as well. Huawei is supplying the hardware for Smart City projects in South Africa, and the Republic of Kenya and Huawei signed a 2017 agreement to build a government cloud infrastructure. Telecom giants Huawei and ZTE have overhauled Ethiopia’s telecommunication systems, relying on loans from China’s state-owned Export-Import bank for more than US $3billion.

This matters because China’s track record of cyber-enabled data theft is legendary. In January 2018, a report by French paper Le Monde alleged that China had used its role in constructing the US $200m African Union Commission headquarters and its IT infrastructure to compromise the facility, directing the AU computer network to send data to servers in Shanghai on a daily basis. Two men who are part of a hacking group associated with the Chinese government were indicted by the US Department of Justice in December 2018, and are charged with stealing information from more than 45 victim organizations.

These patterns are a major red flag for development policymakers. Poor nations who are desperate to grow their digital economies cannot afford to turn down assistance from China. Because of this, policymakers must get smart on China’s involvement in ICT infrastructure development, educate aid recipients on the risks of a questionable supply chain, and work to ensure that critical systems are acquired from highly trusted sources. Otherwise, the political and security ramifications are extraordinary.

Fortunately, there is hope. The opportunities afforded by connected technology to developing communities far outweigh the risks when those risks are managed, collectively, by a group of invested stakeholders. And, any good cybersecurity engineer or policymaker will tell you it is far easier and less expensive to build in cybersecurity considerations in policy or in technology from the ground up, rather than to bolt it on later. Some suggestions for doing just that include:

• Cybersecurity practitioners must be ready to help educate and build the capacity of their colleagues in the developing world. Planning for cybersecurity requires a level of aptitude that may not be available to project managers and aid recipients, who have traditionally been concerned with less technical priorities. Western cybersecurity practitioners have a wealth of information available, including extensive lessons learned in creating open, reliable and secure IT infrastructure. Hardware and software vendors and managed services providers should look for and create opportunities to engage with the development community, and begin to plant seeds for future partnerships that can benefit both parties as economic growth opportunities present themselves in emerging markets.
• Private sector corporations operating in the Global South should conduct thorough cyber risk analysis of the connected infrastructure they build for developing communities. Public-private partnerships and public sector investments in global development are only increasing, and these communities must institutionalize addressing cyber risk, just as they have done so for financial risks. Private sector development projects should include engineering plans that abide by international standards for security. In addition, projects should include long-term assistance to build the workforce and processes needed to sustain reliable and secure networks and data in the communities they support.
• Development community project managers have to plan for cybersecurity right from the start. In the world of international development, projects are often funded by donors in conjunction with native governments, by one or more donors alone, or by combinations of traditional donors and private investors. When projects are scoped, donors have the unique and significant opportunity to build security and privacy controls into connected technology initiatives right from the start.
• Critical sectors - pay attention. Finally, private sector companies, development practitioners, and cybersecurity experts working in the energy and financial sectors– take heed. Your focus areas are already in the crosshairs of cyber threat actors in the developing world. In December 2015, Russian hackers took control of three Ukrainian electricity distribution systems, opened breakers at more than 30 substations, and caused more than 200,000 consumers to lose power. In February 2016, a Bangladesh Central Bank official's computer was hacked, and cyber criminals stole US $81m from the bank’s account at the New York Federal Reserve. Now is the time to come together to work collectively on the people, process, and technology fundamentals of cybersecurity as they apply to the developing world.

Just as in traditional development projects like dams, roads, and irrigation systems, failed connected technology projects can result in unfulfilled promises and disillusion which are blows marginalized communities cannot afford to suffer.